Deeplinks Blog posts about Security

Cyber, Cyber, Cyber. The word makes most technical people cringe but it’s all the rage right now in DC and other policy circles. The rallying calls are now familiar and the central pitch is that private entities and networks—the buzzword is “critical infrastructure”—should be strongly incentivized to “share” information with the government. In other words, providers should surrender more of their and their customers’ privacy. There’s much danger there and EFF continues to sound the alarm.

It's an interesting time to be a computer security researcher. Last week, Kaspersky Lab released a report about a new family of malware from an entity they called "The Equation Group". The report demonstrated for the first time that firmware-based attacks, previously only demonstrated in lab settings, have been used in the wild by malware authors. This should serve as a wake-up call to security professionals and the hardware industry in general: firmware-based attacks are real and their numbers will only increase. If we don't address this issue now, we risk facing disastrous consequences.

In comments yesterday during a cybersecurity conference at the New America Foundation, the Director of the NSA, Admiral Mike Rogers, faced vocal criticism from the tech community (including cryptography expert Bruce Schneier and Yahoo CISO Alex Stamos). The criticism focused on the Obama administration's insistence that it should have access to everyone's encrypted communications via a backdoor, sometimes called a "golden key." Security experts caution that such a magic key, usable only by the "good guys," is—like magic—not actually possible.

We recently learned that PC manufacturer Lenovo is selling computers preinstalled with a dangerous piece of software, called Superfish, that uses a man-in-the-middle attack to break Windows' encrypted Web connections for the sake of advertising. (Here's a list of affected products.) Research from EFF's Decentralized SSL Observatory has seen many thousands of Superfish certificates that have all been signed with the same root certificate, showing that HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken.